Predicted next Nuclear IPs - Feb 22, 2014

Sat, Feb 22 2014
#DhiaLite - Predicted next IPs to host NuclearPack EK subdomains

Nuclear started today on 198.50.143.65

https://twitter.com/jedisct1/status/437298370973937664
https://twitter.com/DhiaLite/status/437315196076314624

198.50.143.65 is part of the range 198.50.143.64 - 198.50.143.79 sub-allocated at OVH

Although, IPs in this range have been used to host older content
http://pastebin.com/SX5R69vY

they all have the same server setup as shown below

PORT    STATE    SERVICE      VERSION
22/tcp  open     ssh          OpenSSH 5.5p1 Debian 6+squeeze4 (protocol 2.0)
80/tcp  open     http         nginx web server 0.7.67
445/tcp filtered microsoft-ds
Service Info: OS: Linux

Based on previous similar studied patterns discussed in
http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/

we predict Nuclear will ride in the next days on the remaining IPs of this range 198.50.143.64 - 198.50.143.79

Furthermore, the current Nuclear subdomains are using

dns1.pirozhkoff.ru and dns2.pirozhkoff.ru as nameservers

dns1.pirozhkoff.ru is hosted on 198.50.212.139
which is part of the OVH sub-allocated range 198.50.212.136 - 198.50.212.143

reserved by the bad actor "Penziatki". This actor has been covered before for example in http://blog.dynamoo.com/search/label/R5X.org

The same actor reserved these ranges

198.50.212.128 - 198.50.212.131
198.50.212.132 - 198.50.212.135
198.50.212.136 - 198.50.212.143

dns2.pirozhkoff.ru is hosted on 198.50.230.198
which is part of 198.50.230.196 - 198.50.230.199

The suspicious actor behind reserving that OVH range is also behind these ranges discussed in
http://labs.umbrella.com/2014/02/14/when-ips-go-nuclear/

198.50.230.192 - 198.50.230.195
198.50.230.196 - 198.50.230.199
198.50.230.200 - 198.50.230.203
198.50.230.204 - 198.50.230.207
198.50.230.208 - 198.50.230.215
198.50.230.216 - 198.50.230.223

Block/monitor these ranges